Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Abstract]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] Cybersecurity Risk Management and Strategy

 

In the ever-evolving digital age, effective cybersecurity management has become an undeniable priority for organizations of all sizes. In this context, a proactive and comprehensive approach is essential to ensure the protection of digital assets and maintain the trust of customers and stakeholders.

Our business involves the collection, storage, processing and transmission of customers’, suppliers’ and employees’ personal or sensitive data. As a result, we may be subject to breaches of the information technology systems we use for these purposes. See “Item 3.D—Risk Factor—Risks Relating to Our Business—Our business is subject to cyberattacks and security and privacy breaches” for further details on this matter. When we face a cybersecurity incident, we believe we act quickly to contact the responsible teams. We then develop an action plan to resolve the issue and subsequently identify improvement measures to be implemented quickly to prevent the incident from becoming recurring.

Our action plan is prepared by our cybersecurity team in collaboration with other responsible parties impacted by the incident. This plan is designed to address not only immediate measures, but also short, medium and long-term strategies. This plan is subject to analysis by our audit, risks and LGPD areas to ensure its compliance and effectiveness. Furthermore, in cases where the severity of the incident is considerable for us, the incident is promptly communicated to our Board of Directors and/or our Audit Committee for assessment. We believe we adopt a proactive stance, with investment in adequate resources, which makes it possible to mitigate cyber threats and protect our digital assets in the modern age. Additionally, we engage independent third parties on an as-needed basis to assess our cybersecurity capabilities, including to identify ongoing situations and assess how to mitigate any impacts on us and, if necessary, take preventive action, as well as to follow global market trends. The results of these assessments are shared with our audit committees, including the Fiscal Council. We believe the hiring of new professionals (cybersecurity service providers, auditors, consultancies, among others) reflects our dedication to continuously improving our processes and adopting what we understand to be cutting-edge tools, all with the aim of maintaining a safe environment. However, we also recognize the importance of a quick response to specific incidents when necessary. Therefore, we have flexibility to carry out targeted hirings in response to emerging demands. Our surveillance covers not only internal systems, but also service providers that have access to our environment to ensure all aspects of our ecosystem are being constantly monitored and protected.

Given we consider cyber risk to be one of our main corporate risks, we work on the various layers of security, implementing security barriers at different levels of the environment, including firewalls, antivirus, access policies, among others. Diversifying defenses increases infrastructure resilience and reduces the likelihood of successful cyberattacks. We periodically analyze cyber risks and identify possible vulnerabilities, providing actions to mitigate them. All our employees, as well as service providers, are part of this scope, and actions are taken according to each identified situation.

We believe that one of the important points for combating cyberattacks is an organizational culture that values cyber security, which is essential for strengthening defenses against digital threats. Accordingly, we take continuous action to strengthen this culture, including disseminating guidance booklets, lives and videos on the matter. Individuals should be aware of recommended security practices and should recognize signs of suspicious activity and understand their responsibilities in protecting the organization’s data. Additionally, we have an information security procedure in place for information technology, available to all employees, which outlines conduct, responsibilities and operational boundaries for employees and business units.

As mentioned in our Form 6-K furnished to the SEC on October 22, 2024, on October 16, 2024, we were subject to a cyberattack, which caused instability in our digital network, leading to some non-critical systems being unavailable for a few days. We immediately took all security and control measures and put into practice a plan to restore the affected systems. Following the attack, we engaged experienced external advisors to investigate the cyberattack, including its causes, scope, and potential perpetrators.

As part of our ongoing monitoring efforts, we became aware that cybercriminals disclosed the affected data, which was unstructured, but consistent with our records. The external advisor assessed the disclosure and identified that these records included non-sensitive information and low sensitive information. We informed the ANPD in accordance with applicable law. We continue to monitor the situation and closely cooperate with the ANPD as appropriate. Our ability to maintain water supply and sewage collection and treatment operations was not affected by the cyberattack.

As of the date of this annual report, we have not identified any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. See “Item 3.D—Risk Factor—Risks Relating to Our Business—Our business is subject to cyberattacks and security and privacy breaches.” for further details on this matter.

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] we have not identified any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition.
Cybersecurity Risk Board of Directors Oversight [Text Block] Cybersecurity Governance

 

We have instituted a governance structure for monitoring cyber risks. Our audit committees monitor the matter in meetings held at least once a year and, in such meeting, the information technology department presents the actions taken, facilitating discussions and enabling the proposal of new actions to address the matter, as necessary. These committees monitor these actions periodically, whether at ordinary or extraordinary meetings. We have a Corporate Risks area responsible for carrying out annual assessments of the main risks we face, including cyberattacks. In this assessment, we consider both the potential impact and the probability of occurrence of each cyber risk. Based on these criteria, we determine the necessary level of reporting, which ranges from reporting to our local management (for low impact risks and remote probability) to reporting to our Board of Directors (for high impact risks and imminent probability).

We have also established a security area as part of our organizational structure that acts continuously and promptly on issues related to cybersecurity, with ongoing reporting to superiors on the progress of its activities. The reporting process takes place at meetings with our Chief Information Officer and at our Audit Committee’s annual meeting, where we present the progress of cybersecurity initiatives led by our security team, including our monitoring measures related to the risk of cyberattack to ensure the transparency of our activities and strategic guidance. The security area team is responsible for assessing and managing cybersecurity risks and has in-depth expertise in information and technology security, with a solid academic background and extensive professional experience in relevant areas, such as cybersecurity, computer networks, and other related topics. The team is prepared to deal with the challenges that cybersecurity presents.

In addition, we have a Security Operations Center (SOC) dedicated to the continuous monitoring of our systems, which reports to our security team. Using specialized processes, procedures and tools, the SOC aims to identify any potential security incidents. If a potential threat is detected, protocols are activated, with the mobilization of responsible teams and the use of appropriate tools. After confirming the incident, we conduct a thorough analysis of its causes, identifying the mitigation and/or remediation measures necessary to resolve the problem. During this process, we consider the relevance of each action for the effective resolution of the incident.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our audit committees monitor the matter in meetings held at least once a year and, in such meeting, the information technology department presents the actions taken, facilitating discussions and enabling the proposal of new actions to address the matter, as necessary. These committees monitor these actions periodically, whether at ordinary or extraordinary meetings.
Cybersecurity Risk Role of Management [Text Block] We have a Corporate Risks area responsible for carrying out annual assessments of the main risks we face, including cyberattacks. In this assessment, we consider both the potential impact and the probability of occurrence of each cyber risk. Based on these criteria, we determine the necessary level of reporting, which ranges from reporting to our local management (for low impact risks and remote probability) to reporting to our Board of Directors (for high impact risks and imminent probability).
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] We have also established a security area as part of our organizational structure that acts continuously and promptly on issues related to cybersecurity, with ongoing reporting to superiors on the progress of its activities. The reporting process takes place at meetings with our Chief Information Officer and at our Audit Committee’s annual meeting, where we present the progress of cybersecurity initiatives led by our security team, including our monitoring measures related to the risk of cyberattack to ensure the transparency of our activities and strategic guidance.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The security area team is responsible for assessing and managing cybersecurity risks and has in-depth expertise in information and technology security, with a solid academic background and extensive professional experience in relevant areas, such as cybersecurity, computer networks, and other related topics. The team is prepared to deal with the challenges that cybersecurity presents.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true